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Abstract 

We show that computing the approximate length of the shortest 
vector in a lattice within a factor c is NP-hard for randomized reduc- 
tions for any constant c < y/2. 
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1 Introduction 

In this paper we show that approximating the shortest vector in a lattice 
within any constant factor less than \/2 is NP-hard for randomized reduc- 
tions. 

The hrst intractability results for lattice problems date back to [10] where 
van Emde Boas proved that the closest vector problem (CVP) is NP-hard 
and conjectured that the shortest vector problem was also NP-hard. 

Altough much progress was done in proving the hardness of CVP [3]T 
where the problem is proved NP-hard to approximate within any constant 
factor and quasi-NP-hard within quasi-polynomial factorsrthe hardness of 
computing even the exact solution to the SVP remained an open question 
until recently when Ajtai [2] proved that the SVP is NP-hard for randomized 
reductions. In the same paper it is shown that approximating the length of 
the shortest vector within a factor 1 + ^r is also NP-hard for some constant 
c and in [5] is shown how to improve the inapproximability factor to 1 + -\T 
but still a factor that rapidly approachs 1 as the dimention of the lattice 
grows. 

In this paper we prove the hrst inapproximability result for the shortest 
vector problem within some constant factor greater than 1. This result is 
achieved by reducing the approximate SVP from a variant of the CVP which 
can be proven NP-hard to approximate using essentially the same arguments 
as in [3]. The techniques to reduce CVP to SVP are similar to those used 
in [2] where the problem is reduced from a variant of subset sum. However 
the similarities between the CVP and the SVP leads both to a much simpler 
proof and a much stronger result. 

The rest of the paper is organized as follows. In section 2 we formally 
define the shortest vector and closest vector approximation problems. In 
section 3 we prove the NP-hardness of a variant of the closest vector ap- 
proximation problem. In section 4 we prove that the SVP is NP-hard to 
approximate by reduction from the modified CVP using a technical lemma 
which is proved in section 5. 



2 Definitions 

We formalize the approximation problems associated to the shortest vector 
problem and the closest vector problem in terms of the following promise 
problemsFas done in [6]. 

Definition 1 (Approximate SVP) The promise problem GapSVP g; where 
g (the gap function) is a function of the dimension, is defined by 

• YES instances are pairs (V,d) where V is a basis for a lattice in R n , 
d G R and ||Vz|| 2 < d for some z G Z n \ {0}. 

• NO instances are pairs (V,d) where V is a basis for a lattice in R n , 
de R and \\Vz\\ 2 > g{n)d for all z G Z n \ {0}. 

Definition 2 (Approximate CVP) The promise problem GapCVP g; where 
g (the gap function) is a function of the dimension, is defined by 

• YES instances are triples (V,y,d) where V G Z kXn , y G R k , d G R and 
|| Vz — y|| 2 < d for some zGZ". 

• NO instances are triples (V,y,d) where V G Z kXn , y G R k , d G R and 
|| Vz — y|| 2 > g(n)d for all z. 

We also define a variant of CVPrwhich will be used as an intermediate 
step in proving the hardness of approximating the shortest vector in a lat- 
tice. The difference is that the YES instances are required to have a boolean 
solutionFand in the NO instances the target vector can be multiplied by any 
non-zero integer. 

Definition 3 (Modified CVP) The promise problem GapCVP' where g (the 
gap function) is a function of the dimension, is defined by 

• YES instances are triples (V,y,d) where V G Z kXn , y G R k , d G R and 
|| Vz — y|| 2 < d for some z G {0, f } n . 

• NO instances are triples (V,y,d) where V G Z kXn , y G R k , d G R and 
|| Vz — u>y|| 2 > g(n)d for all z G Z n and all w G Z . 



3 Hardness of approximating CVP 

In this section we prove that the modified CVP is NP-hard to approximate 
within any constant factor. The proof is by reduction from set cover and is 
essentially the same as in [3]. 

Definition 4 (Set-Cover) An instance of set-cover consists of a ground set 
U and a collection of subsets Si, ... , S m of U . A cover is a subcollection of 
the Si's whose union is U. The cover is said to be exact if the sets in the 
cover are pairwise disjoint. 

In [4]rBellarerGoldwasser et al. show that for every constant c > I there 
is a polynomial time reduction thatTon input an instance <f> of SATPproduces 
an instance of set-cover and an integer d with the following properties: 



If 



is 



satishablerthere is an exact cover of size dT 



If 



is 



not satishablerthen no set cover has size less than cd. 



This result is used in [3] to show that the closest vector problem is hard 
to approximate within any constant factor. In fact r the same reduction can 
be used to prove that the modified CVP is NP-hard to approximate within 
any constant factor. 

Theorem 1 For every constant c > 1 the promise problem GapCVP' c is NP- 
hard. 

Proof: Let c be a constant greater than one. We reduce SAT to GapCVP' c . 
Let <f> be an instance of SAT. Apply the reduction from BellarePGoldwasser 
et al. [4] to the formula (pTto obtained instance of set-cover U, Si, . . . , S m 
and integer k. Let n be the size of U and let S G {0, l} nXm be the matrix 
defined by Sij = 1 iff i G S r 
Define N and y as follows: 



N 



aS 
I 



y 



al 




where a is an integer such that a 2 > ck. 



• Assume <f> is satisfiable. ThenTU has an exact cover {Si}i e i of size 
|7| = k. Let x G {0,l} m be the indicator vector of set 7. We have 
Sx = 1 and ||x|| 2 = J2 x i = k. Therefore 

II AT~> — * 1 1 2 2 II o-* -V* 1 1 2 i || ||2 ; 

||Ax — y|| =a ||dx— 1|| + \\x\\ = k, 
i.e.L(A, y) is a YES instance of the modihed CVP. 

• Assume <f> is not satishable. Then every subset {Si}i e i of size |7| < ck 
is not a cover. Let x G Z m and w G Z \ {0}. We want to prove that 
||Ax — u>y|| 2 > ck. Notice that ||Ax — wy\\ 2 = a 2 ||Sx — wl\\ 2 + ||x|| 2 . 
We show that either a 2 ||Sx — wl\\ 2 or ||x|| 2 is greater than ck. Assume 
||x|| 2 < ck. We will prove that ||Sx — wl\\ 2 > lLwhich by our choice of 
a implies a 2 \\S5t — wl \\ 2 > ck. Let 7 be the set of all i such that X{ ^ 0. 
Notice that |7| < J2 \ x i\ ^ S x \ = || z || 2 ^ c ^- Therefore {Si}i e i is not 
a cover. Let j G U be such that j (^ {Ji e i S{. We have [Sx]j = and 
therefore \\S5t — wl\\ 2 > ([Sx\j — w) 2 > w 2 > 1. 



a 



4 Hardness of approximating SVP 

In this section we use the hardness of approximating the closest vector in a 
lattice to show that the shortest vector problem is also hard to approximate 
within some constant factor. The proof uses the following technical lemma. 

Lemma 1 For any constant e > there exists a PPT algorithm that on 
input l k computes a lattice L G p l ( m + 1 ) Xm ; a vector s G 77 m+1 and a matrix 
C G Z kXm such that with probability arbitrarily close to one, 

• For every non-zero z G Z m , \\Lz\\ 2 > 2. 

• For all x G {0,l} fc there exists a z G Z m such that Ci = x and 
||7z-s|| 2 < 1 + e. 

The proof of the above lemma will be given in the next section. We can 
now prove the main theorem. 



Theorem 2 The shortest vector in a lattice is NP-hard to approximate within 
any constant factor less than \/2. 

Proof: We will show that for any e > the squared norm of the shortest 
vector is NP-hard to approximate within a factor 2/(1 + 2e). The proof is 
by reduction from the modified closest vector problem. Formallyrwe give a 
reduction from GapCVP' c to GapSVP g with c = 2/e and g = 2/(1 + 2e). 

Let (iV, y,o?) be an instance of GapCVP' c . We define an instance (V,t) of 
GapSVPg such that if (N,y,d) is a YES instance of GapCVP' c then (V,t) is a 
YES instance of GapSVP g Fand if (N,y,d) is a NO instance of GapCVP' c then 
(V,t) is a NO instance of GapSVPg. 

Let L, s and C be as defined in lemma 1. Let t = 1 + 2e and let V be the 
matrix 



V 



P 



T 

NoC 



— s 

-P-y 



where f3 



• Assume that (iV, y,o?) is a YES instanceLi.e.Lthere exists a vector x G 
{0,l} fc such that ||iVx 
z G Z m such that Ci = x and \\Lz 
z 
1 



y|| 2 ^ d. From lemma 1 there exists a vector 
sll 2 < 1 + e. Define the vector 



w 



Weh 



ave 



||Vw|| 2 = || Zz - s|| 2 + /3 2 ||iVx - y|| 2 < 1 + 2e = t 
i.e.T(V,t) is a YES instance of GapSVPg. 



Now assume that (iV, y, d) is a NO instance and let w 



z 

w 



G Z m+1 



be a non-zero vector. We want to prove that ||Vw|| > g-t = 2. Notice 



that ||Vw 
WLz 



?r I I 2 



\Lz 



ws 



0*112 



+ /3 2 ||iVx 



u;y|| 2 . 



ws 



0*112 



We prove that either 
or /3 2 ||iVx — wy\\ 2 is greater than 2. If w = then z ^ 



and \\Tz — wy 



.til 2 



Zz|| 2 > 2. Ifu;^0then/3 2 ||iVx-u;y|| 2 > (3 2 cd = 2. 
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5 Proof of the Technical Lemma 

To prove lemma 1 we need a result from [2] and two other lemmas. 

Lemma 2 For all e > ; for all sufficiently large integers b, the following 
holds. Let pi } . . . } p m be m relatively prime positive integers. Let P £ R m 
be the vector Pi = log 6 pi and let D £ p l mXm be the diagonal matrix Di^ = 



J\og h pi. Define the matrix 



L 



D 

l/a 

{3P /3/blnb 



\f lo EbPi 







\/log& Pm 











l/a 


. /31og 6 Pi • 


• /31og 6 Pm 


f3/blnb _ 



where a = \b f ' 2 and f3 > \/2blnb. Then for all non-zero integer vectors 
z £ Z m+1 , \\Lzf > (2-e). 

Proof: Let z £ Z m+1 be a non-zero vector. Define the vector z' = [z\, . . . , £ m ] 7 
Notice that 



\Lz 



^l|2 



Dz'\\ z + 



^•m + 1 



+ /3 2 (Pz' + 



^•m + 1 

blnb 



We want to prove that ||ivz|| 2 > 2 — e. 
If z' = Orthen z m+ i ^ and 



Lz\\ 2 >(3 2 [Pz' + 



^ra-\-l 

blnb 



P 



blnb, 



Z m + 1 — 



P 



blnb, 



> 2. 



SoL assume z' ^ 0. Let z + ,z~ £ Z m be the vectors defined by zf = 

max{z-, 0} and z~ = max{— z',0}. Define the integers g + = b Pz = TliP;' 

and g~ = b z = TliPi' . Notice that z' ^ implies z + ^ z~ and since 
the p 8 's are relatively primeL g + ^ g~ . We observe that for any posi- 



tive integers x ^ yT\log b x — log b y\ > 



xylgb 



(proof: |log 6 x - log b y\ 



log 6 (max{x,j/}/min{x,j/}) = log 6 (f + \x-y\/mm{x, y}) > log b (l + l/y/xy) > 
log b 2/y / ~xy = l/(^/xylgb).) In particularL \Pz'\ = \log b g + — log b g~\ > 



6 



(\/g + g~ lg b) 1 Tand since log 6 g + g = Pz + + Pi < ||Dz + || 2 + \\Dz || 2 = 
||_Dz'|| 2 we have 

IP?' I > 

62 lg b 

Now assume for contradiction that ||ivz|| 2 < 2 — e. We have ||_Dz'|| 2 < 2 — e 
and |z m+ i| < a\/2. It follows 



\Lz\\ > f3 



Pz' + 



blnb 



> P[\PZ 



^•m + 1 



blnb 



> P 



1 



b 1 -^ 2 lg 6 ~ blnb, 



> 



P 



b t/2 In 2 - aV2 



blnb, 

> v / 2& e/2 (ln2- ^2/3) > ^2 



a 



Lemma 3 Let Z 6e £/ie matrix defined in lemma 2 and assume f3 < b 2 e . 
Define the vector s = [0, . . . , 0, f3] T G R m+2 . For every vector z' G {0, l} m ; 



/e£ g 



n? 



-.iPi 



an 



d z 



[(z') , b — g] . For every positive 6 < 1/2, if 



\z m+ i\ = \b — g\ < 6a, then \\Lz — s|| 2 < 1 + <5. 
Proof: Notice that 



\Dz 



z'\\ 2 



Pz' = logfefi- = log 6 (6 - 2r ro+ i) = 1 + log 6 1 



^m + 1 



ThereforeFusing the inequality |ln(l + x) — x\ < x 2 valid for all \x\ < 1/2Y 
we have 



|Xz-s|| 2 



Pz' 2 + 



- /r m-\-l 



+ /3 2 {Pz' + 



^ra-\-l 

bWb 



1 



l+log 6 (l-^±M + ^ m+1 



+ 



In 6, 



1 / -, ^m-\-l \ . ^m-\-l 

In ( 1 ; — ) + 




< 1 



< 1 + 8 
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Lemma 4 For a//0<7<l ; A>0 and all large enough n, if b is chosen at 
random from the set T of all products of n distinct primes less than n 2+27 , 
then with probability exponentially close to 1 there are at least n n elements 
g G r such that \b — g\ < Xb 1 . 

Proof: Let m be the number of primes less than n 2+27 . From the prime 
number theorem we have m > n 2+27 ~ 7 ' 3 for all large enough nT and 

|r| = (™) > (f)™ > n( 1+2 --'z) n . Notice that L C [0, n( 2+27 ">]. Divide 

[0,n^ 2+27 > n ] into k = nv~ ~* n intervals each of size nv + ~r. Let /& the 
interval containing b. We will prove that with probability exponentially close 
to one \g — b\ < Xb 1 for all g G i^Land \If, D T\ > n n . Let g G h- We have 
\g — b\ < |7ft| and 



Prfl/J > Xb 1 ) = Pr(6< A" ^ • \h\i ) < 



z+$)n 



x~- ■ \I h 

iri 



< ? — o — r^ = A t • n v 3 ' 



M"i 



To bound the size of If, D TV observe that each interval If, is chosen with 
probability |i& D L|/|L|. Therefore we have 




Pr(|/ 6 nL| <n n ) = Pr I Pr(/ 6 ) < — I = k- U 



r 



n • n" 3 > / 1 < — 



n\ 73, 



n 
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Lemma 5 For all cti 7 a 2 > 0, there exists 6i } 6 2} 6 3 £ (0,1) so that for all 
sufficiently large n the following holds: Assume that (S,X) is an n-uniform 
hypergraph, n 2 < \S\ < n ai , \X\ > 2 a2nlgn , k = n Sl and C\,...,C\ is a 
random sequence of pairwise disjoint subsets each with exactly \S\n~( 1+S2 > 
elements, with uniform distribution on the set of all sequences with these 
properties. Then, with probability of at least 1 — n~ S3 the following holds: for 
each f £ {0, l} k there is a T £ X so that f(j) = \Cj H T\ for all j . 

Proof: See Theorem 2.2 in [2]. □ 

We can now prove lemma 1. Let e be a positive constant less than 1/2 and 
let A; be a sufficiently large integer. Let 6i } 6 2} 6 3 be the constant defined in 
lemma 5 with a.\ = 2 + 4e _1 and a 2 = 1. Let n = k 1 ' 51 . Let L be the matrix 
defined in lemma 2 with p\ } . . . } p m the set of all primes less than n 2+4e and 
b chosen at random among the products of n distinct such primes. 

From lemma 2 we know that ||ivz|| 2 > 2 — e for all non-zero z £ Z m+1 . 

Let C £ {0, f} fcx ( m + 1 ) be the matrix defined by C hJ = 1 iff j £ C.Twhere 
Ci, . . . , Ck are the sets defined in lemma 5 with S = {p\ } . . . } p m }- 

For every x £ {0,l}*Tlet f(j) be the function f(j) = Xj. Define X to 

be the set of all T C S such that \T\ = n and \b — II te x^| < ~~ — ■ From 
lemma 4 (with 7 = e/2 and A = e/3) we have \X\ > n n = 2 nlgn rand from 
lemma 5 there exists a T £ X such that \Cj D T\ = f(j) for all j. Let 
z' £ {0, l} m be the indicator vector of the set TTg = liteTt and dehne the 
vector z = [(z') T |6 — g] T . Notice that |z m+ i| < ^— . We have Cz = xFand 
from lemma 2r||ivz|| 2 < 1 + e. 
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